What's new in Microsoft Defender for Cloud Apps

Note

Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

Applies to: Microsoft Defender for Cloud Apps

This article is updated frequently to let you know what's new in the latest release of Microsoft Defender for Cloud Apps.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://learn.microsoft.com/api/search/rss?search=%22frequently+to+let+you+know+what%27s+new+in+the+latest+release+of+Microsoft+Defender+for+Cloud+Apps%22&locale=en-us&facet=

Note

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be using the new names in future releases.

For more information on what's new with other Microsoft Defender security products, see:

Note

As of August 28 2022, users who were assigned an Azure AD Security Reader role won't be able to manage the Microsoft Defender for Cloud Apps alerts. This change will be gradually rolled out to all customers over the next several weeks. To continue to manage alerts, the user's role should be updated to an Azure AD Security Operator.

Defender for Cloud Apps release 237, 238 and 239

October 30, 2022

  • Native Integration of Microsoft Defender for Cloud Apps in Microsoft 365 Defender is now in public preview
    The entire Defender for Cloud Apps experience in Microsoft 365 Defender is now available for public preview.

    SecOps and security admins will experience these major benefits:

    • Time and costs saved
    • Holistic investigation experience
    • Additional data and signals in advanced hunting
    • Integrated protection across all security workloads

    For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

Defender for Cloud Apps release 236

September 18, 2022

Defender for Cloud Apps release 235

September 4, 2022

  • Log Collector version update
    We've released a new log collector version with the latest vulnerabilities fixes.

    New version: columbus-0.235.0-signed.jar

    Main changes:

    • Docker image was rebuilt with latest updates
    • Openssl library was update from 1.1.1l to 1.1.1q
    • fasterxml.jackson.core.version was updated from 2.13.1 to 2.13.3

    If you wish to update the version, stop your log collectors, remove the current image, and install a new one.
    To verify the version, run this command inside the Docker container: cat var/adallom/versions | grep columbus-
    For more information, see Configure automatic log upload for continuous reports.

  • Onboarding application to session controls (Preview)
    The process of onboarding an application to be used for session controls has been improved and should increase the success rate of the onboarding process. To onboard an application:

    1. Go to the Conditional Access App Control list in Settings -> Conditional access app control.
    2. After selecting Onboard with session control, you're presented with an Edit this app form.
    3. To onboard the application to session controls, you must select the Use the app with session controls option.

    For more information, see Deploy Conditional Access App Control for catalog apps with Azure AD.

Defender for Cloud Apps release 234

August 21, 2022

  • Feature parity between commercial and government offerings
    We've consolidated the flow that allows Microsoft Defender for Cloud Apps data to be consumed through Microsoft 365 Defender. To consume this data in Microsoft Defender for Cloud, Microsoft 365 Defender should be used. For more information, see Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers and Connect Microsoft 365 Defender data to Microsoft Sentinel.

  • Protecting apps that use non-standard ports with session controls
    This feature allows Microsoft Defender for Cloud Apps to enforce session policies for applications that use port numbers other than 443. Splunk and other applications that use ports other than 443 will now be eligible for session control.
    There's no configuration requirement for this feature. The feature is currently in preview mode. For more information, see Session controls.

Defender for Cloud Apps release 232 and 233

August 7, 2022

  • MITRE techniques
    The Defender for Cloud Apps threat protection anomaly detections will now include MITRE techniques and sub-techniques where relevant, in addition to the MITRE tactic that already exists. This data will also be available in the alert's side pane in Microsoft 365 Defender. For more information, see How to investigate anomaly detection alerts.

Important

Deprecation of old proxy suffix domains for session controls (gradual rollout)
From September 15 2022, Defender for Cloud Apps will no longer support suffix domains in the form <appName>.<region>.cas.ms.
In November 2020, we moved to suffix domains in the form of <appName>.mcas.ms, but still provided grace time to switch from the old suffixes.
End users will have very little chance of encountering navigation problems on such a domain. However, there may be situations where they may have issues - for example, if bookmarks are saved in the old domain form or an old link is stored somewhere.

If users encounter the following message:

The connection for this site is not secure.
missing.cert.microsoft.sharepoint.com.us.cas.ms sent an invalid response

They should manually replace the URL section .<region>.cas.ms with .mcas.us.

Defender for Cloud Apps release 231

July 10, 2022

  • Malware hashes available for SharePoint and OneDrive (Preview)
    In addition to file hashes available for malware detected in non-Microsoft storage apps, now new malware detection alerts will provide hashes for malware detected in SharePoint and OneDrive. For more information, see Malware detection.

Defender for Cloud Apps release 230

June 26, 2022

  • SaaS Security Posture Management capabilities for Salesforce and ServiceNow
    Security posture assessments are available for Salesforce and ServiceNow. For more information, see Security posture management for SaaS apps.

Defender for Cloud Apps release 227, 228, and 229

June 14, 2022

  • Admin audit enhancements
    Additional Defender for Cloud Apps admin activities have been added:

    • File monitoring status - switching on/off
    • Creating and deleting policies
    • Editing of policies has been enriched with additional data
    • Admin management: adding and deleting admins

    For each of the activities listed above, you can find the details in the activity log. For more information, see Admin activity auditing.

  • DocuSign API Connector is generally available
    The DocuSign API connector is generally available, providing you deeper visibility and control over your organization’s usage of DocuSign app. For more information, see How Defender for Cloud Apps helps protect your DocuSign environment.

Defender for Cloud Apps release 226

May 1, 2022

  • Improvements in malware detection for non-Microsoft storage apps
    Defender for Cloud Apps has introduced major improvements in the non-Microsoft storage apps detection mechanism. This will reduce the number of false positive alerts.

Defender for Cloud Apps release 225

April 24, 2022

  • Support for Rome and San Diego ServiceNow versions
    The Defender for Cloud Apps connector for ServiceNow now supports Rome and San Diego versions of ServiceNow. With this update, you can protect the latest versions of ServiceNow using Defender for Cloud Apps. For more information, see Connect ServiceNow to Microsoft Defender for Cloud Apps.

Defender for Cloud Apps release 222, 223, and 224

April 3, 2022

  • Updated severity levels for Defender for Cloud Apps anomaly detections
    The severity levels for Defender for Cloud Apps built-in anomaly detection alerts are being changed to better reflect the risk level in the event of true positive alerts. The new severity levels can be seen in the policies page: https://portal.cloudappsecurity.com/#/policy

Defender for Cloud Apps release 221

February 20, 2022

  • Egnyte app connector available in public preview
    A new app connector for Egnyte is available in public preview. You can now connect Microsoft Defender for Cloud Apps to Atlassian to monitor and protect users and activities. For more information, see Connect Egnyte to Microsoft Defender for Cloud Apps (Preview).

Defender for Cloud Apps release 220

February 6, 2022

Defender for Cloud Apps release 218 and 219

January 23, 2022

  • Atlassian app connector available in public preview
    A new app connector for Atlassian is available in public preview. You can now connect Microsoft Defender for Cloud Apps to Atlassian to monitor and protect users and activities. For more information, see Connect Atlassian to Microsoft Defender for Cloud Apps (Preview).

Defender for Cloud Apps release 216 and 217

December 26, 2021

Defender for Cloud Apps release 214 and 215

November 28, 2021

  • NetDocuments app connector available in public preview
    A new app connector for NetDocuments is available in public preview. You can now connect Microsoft Defender for Cloud Apps to NetDocuments to monitor and protect users and activities. For more information, see Connect NetDocuments to Microsoft Defender for Cloud Apps.

Cloud App Security release 212 and 213

October 31, 2021

  • Impossible travel, activity from infrequent countries/regions, activity from anonymous IP addresses, and activity from suspicious IP addresses alerts will not apply on failed logins.
    After a thorough security review, we decided to separate failed login handling from the alerts mentioned above. From now on, they'll only be triggered by successful login cases and not by unsuccessful logins or attack attempts. Mass failed login alert will still be applied if there are anomalous high amount of failed login attempts on a user. For more information, see Behavioral analytics and anomaly detection.

  • New anomaly detection: Unusual ISP for an OAuth app
    We've extended our anomaly detections to include suspicious addition of privileged credentials to an OAuth app. The new detection is now available out-of-the-box and automatically enabled. The detection can indicate that an attacker has compromised the app and is using it for malicious activity. For more information, see Unusual ISP for an OAuth app.

  • New detection: Activity from password-spray associated IP addresses
    This detection compares IP addresses performing successful activities in your cloud applications to IP addresses identified by Microsoft’s threat intelligence sources as recently performing password spray attacks. It alerts about users that were victims of password spray campaigns and managed to access your cloud applications from those malicious IPs. This new alert will be generated by the existing Activity from suspicious IP addresses policy. For more information, see Activity from suspicious IP addresses.

  • Smartsheet and OneLogin API connectors are now in general availability
    Smartsheet and OneLogin API connectors are now in general availability. You can now connect Microsoft Cloud App Security to Smartsheet and to OneLogin to monitor and protect users and activities. For more information, see Connect Smartsheet and Connect OneLogin.

  • New Shadow IT integration with Open Systems
    We've added native integration with Open Systems providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Open Systems.

Cloud App Security release 209, 210, and 211

October 10, 2021

  • Slack API connector is now in general availability
    Slack API connector is in general availability, giving you more visibility in to, and control over, how your app is used in your organization. For more information, see How Cloud App Security helps protect your Slack Enterprise.

  • New warn experience for monitored apps with Microsoft Defender for Endpoint is now in general availability
    Cloud App Security has extended its native integration with Microsoft Defender for Endpoint. You can now apply soft block on access to apps marked as monitored using Microsoft Defender for Endpoint's network protection capability. End users will be able to bypass the block. The block bypass report will be available in Cloud App Security’s discovered app experience. For more information, see:

  • New discovered app experience in general availability
    As part of continuous improvement of our entity experiences, we're introducing a modernized discovered app experience to cover discovered web apps and OAuth apps and provide a unified view of an application entity. For more information, see Working with the app page.

Cloud App Security release 208

August 22, 2021

  • New discovered app experience in public preview
    As part of continuous improvement of our entity experiences, we're introducing a modernized discovered app experience to cover discovered web apps and OAuth apps and provide a unified view of an application entity. For more information, see Working with the app page.

  • App governance add-on to Cloud App Security available in public preview
    The app governance add-on to Microsoft Cloud App Security is a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions. For more information:

  • Smartsheet app connector available in public preview
    A new app connector for Smartsheet is available in public preview. You can now connect Microsoft Cloud App Security to Smartsheet to monitor and protect users and activities. For more information, see Connect Smartsheet to Microsoft Cloud App Security.

Cloud App Security release 207

August 8, 2021

  • New warn experience for monitored apps with Microsoft Defender for Endpoint (public preview)
    Cloud App Security has extended its native integration with Microsoft Defender for Endpoint (MDE). You can now apply soft block on access to apps marked as monitored using Microsoft Defender for Endpoint's network protection capability. End users will be able to bypass the block. The block bypass report will be available in Cloud App Security’s discovered app experience. For more information, see:

Cloud App Security release 206

July 25, 2021

  • New Cloud Discovery Open Systems log parser
    Cloud App Security's Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the Open Systems format. For a list of supported log parsers, see Supported firewalls and proxies.

Cloud App Security release 205

July 11, 2021

  • Zendesk app connector available in public preview
    A new app connector for Zendesk is available in public preview. You can now connect Microsoft Cloud App Security to Zendesk to monitor and protect users and activities. For more information, see Connect Zendesk.

  • New Cloud Discovery parser for Wandera
    Cloud Discovery in Cloud App Security analyzes a wide range of traffic logs to rank and score apps. Now, Cloud Discovery includes a built-in log parser to support the Wandera format. For a list of supported log parsers, see Supported firewalls and proxies.

Cloud App Security release 204

June 27, 2021

  • Slack and OneLogin app connectors available in public preview
    New app connectors are now available for Slack and OneLogin in public preview. You can now connect Microsoft Cloud App Security to Slack and to OneLogin to monitor and protect users and activities. For more information, see Connect Slack and Connect OneLogin.

Cloud App Security release 203

June 13, 2021

  • Expose verified publisher indicating in O365 OAuth apps
    Cloud App Security now surfaces whether a publisher of an Office 365 OAuth app has been verified by Microsoft to enable higher app trust. This feature is in a gradual rollout. For more information, see Working with the OAuth app page.

  • Azure Active Directory Cloud App Security admin
    A Cloud App Security admin role has been added to Azure Active Directory (Azure AD), allowing the assignment of global admin capabilities to Cloud App Security alone via Azure AD. For more information, see Office 365 and Azure AD roles with access to Cloud App Security.

  • Export custom tag and app domains per discovered app
    Export to CSV in the discovered apps page now include the application's custom app tags and associated web domains. For more information, see Working with discovered apps.

    Important

    Enhanced proxy URL for access controls (gradual rollout)
    Starting in early July 2021, we will change our access endpoint from <mcas-dc-id>.access-control.cas.ms to access.mcas.ms. Make sure you update your network appliance rules before the end of June, as this can lead to access issues. For more information, see Access and session controls

Cloud App Security release 200, 201, and 202

May 30, 2021

  • Authentication Context (Step-Up Authentication) in public preview
    We've added the ability to protect users working with proprietary and privileged assets by requiring Azure AD Conditional Access policies to be reassessed in the session. For example, if a change in IP address is detected because an employee in a highly sensitive session has moved from the office to the coffee shop downstairs, step-up can be configured to reauthenticate that user. For more information, see Require step-up authentication (authentication context) upon risky action.

Cloud App Security release 199

April 18, 2021

  • Service Health Dashboard availability
    The enhanced Cloud App Security Service Health Dashboard is now available within the Microsoft 365 Admin portal for users with Monitor service health permissions. Learn more about Microsoft 365 Admin roles. In the dashboard, you can configure notifications, allowing relevant users to stay updated with the current Cloud App Security status. To learn how to configure email notifications and additional information about the dashboard, see How to check Microsoft 365 service health.

  • AIP support deprecated
    Label management from the Azure Information Protection portal (classic) is deprecated beginning April 1, 2021. Customers without AIP extended support should migrate their labels to Microsoft Purview Information Protection to continue using sensitivity labels in Cloud App Security. Without migration to Microsoft Purview Information Protection or AIP extended support, file policies with sensitivity labels will be disabled. For more information, see Understanding Unified Labeling migration.

  • DLP near real-time rollout completed for Dropbox, ServiceNow, AWS, and Salesforce
    New near real-time file scanning is available in Dropbox, ServiceNow and Salesforce. New near real-time S3 bucket discovery is available in AWS. For more information, see Connect apps.

  • Public preview for overriding privilege sensitivity labels
    Cloud App Security supports overriding sensitivity labels for files that were labeled outside Cloud App Security. For more information, see Apply labels directly to files.

  • Extended Advanced Hunting events
    We've expanded the available events in Cloud App Security. Microsoft 365 Defender Advanced Hunting now includes telemetry from Microsoft OneDrive, SharePoint Online, Office 365, Dynamics 365, Dropbox, Power BI, Yammer, Skype for Business, and Power Automate, in addition to Exchange Online and Teams, which were available until now. For more information, see Apps and services covered.

Cloud App Security release 198

Released April 4, 2021

  • Exclusion of Azure Active Directory groups entities from discovery
    We've added the ability to exclude discovered entities based on imported Azure Active Directory groups. Excluding Azure AD groups will hide all discovery-related data for any users in these groups. For more information, see Exclude entities.

  • API connector support for ServiceNow Orlando and Paris versions
    We have added support for the ServiceNow API connector to the Orlando and Paris versions. For more information, see Connect ServiceNow to Microsoft Cloud App Security.

  • Always apply the selected action even if data cannot be scanned
    We've added a new checkbox to Session policies that treats any data that can't be scanned as a match for the policy.

    Note

    Deprecation notice: this feature replaces both Treat encrypted as match, and Treat files that cannot be scanned as match, in addition to adding new functionality. New policies will contain the new checkbox by default, deselected by default. Pre-existing policies will be migrated to the new checkbox on May 30. Policies with either or both options selected will have the new option selected by default; all other policies will have it deselected.

Cloud App Security release 197

Released March 21, 2021

  • Status page deprecation notice
    On April 29, Cloud App Security will deprecate the service health status page, replacing it with the Service Health Dashboard within the Microsoft 365 Admin portal. The change aligns Cloud App Security with other Microsoft services and provides an enhanced service overview.

    Note

    Only users with Monitor service health permissions can access the dashboard. For more information, see About admin roles.

    In the dashboard, you can configure notifications, allowing relevant users to stay updated with the current Cloud App Security status. To learn how to configure email notifications and additional information regarding dashboard, see How to check Microsoft 365 service health.

  • OAuth app consents link
    We've added the ability to scope activity investigations to specific OAuth app's consent activities directly from the OAuth app view. For more information, see How to investigate suspicious OAuth apps.

Cloud App Security release 195 and 196

Released March 7, 2021

  • Enhanced Shadow IT discovery with Microsoft Defender for Endpoint
    We've further improved our Defender for Endpoint integration by leveraging enhanced signals for the Defender agent, providing more accurate app discovery and organizational user context.

    To benefit from the latest enhancements, make sure your organizational endpoints are updated with the latest Windows 10 updates:

  • Configurable session lifetime
    We're enabling customers to configure a shorter session lifetime for Conditional Access App Control. By default, sessions proxied by Cloud App Security have a maximum lifetime of 14 days. For more information about shortening session lifetimes, contact us at mcaspreview@microsoft.com.

Cloud App Security release 192, 193, and 194

Released February 7, 2021

  • Updates to Policies page
    We've updated the Policies page, adding a tab for every policy category. We also added an All policies tab to give you a complete list of all your policies. For more information about the policy categorization, see Policy types.

  • Enhanced Office 365 OAuth apps export
    We've enhanced the Office 365 OAuth apps activities export to CSV file with the Redirect URL of the OAuth apps. For more information about exporting OAuth app activities, see OAuth app auditing.

  • Updates to the portal interface
    In the coming months, Cloud App Security will be updating its User Interface to provide a more consistent experience across Microsoft 365 security portals. Learn more

Cloud App Security release 189, 190, and 191

Released January 10, 2021

  • New log collector version
    Upgraded Log collector for Shadow IT discovery is now available. It includes the following updates:

    • We've upgraded our Pure-FTPd version to the latest version: 1.0.49. TLS < 1.2 is now disabled by default.
    • We've disabled the "octet-counted" framing feature in RSyslog to prevent failed processing.

    For more information, see Configure automatic log upload for continuous reports.

  • New anomaly detection: Suspicious addition of credentials to an OAuth app
    We've extended our anomaly detections to include suspicious addition of privileged credentials to an OAuth app. The new detection is now available out-of-the-box and automatically enabled. The detection can indicate that an attacker has compromised the app and is using it for malicious activity. For more information, see Unusual addition of credentials to an OAuth app.

  • Enhanced auditing for Shadow IT discovery activities
    We've updated the auditing for Shadow IT activities to include actions performed by administrators. The following new activities are now available in the activity log and can be used as part of your Cloud App Security investigation experience.

    • Tagging or untagging apps
    • Creating, updating, or deleting log collectors
    • Creating, updating, or deleting data sources
  • New Data Enrichment REST API endpoints
    We've added the following Data Enrichment API endpoints enabling you to fully manage your IP address ranges using the API. Use our sample management script to help you get started. For more information about ranges, see Working with IP ranges and tags.

Cloud App Security release 187 and 188

Released November 22, 2020

  • New Shadow IT integration with Menlo Security
    We've added native integration with Menlo Security providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Menlo Security.

  • New Cloud Discovery WatchGuard log parser
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the WatchGuard format. For a list of supported log parsers, see Supported firewalls and proxies.

  • New permission for Cloud Discovery global admin role
    Cloud App Security now allows users with the Cloud Discovery global admin role to create API tokens and use all Cloud Discovery related APIs. For more information about the role, see Built-in Cloud App Security admin roles.

  • Enhanced sensitivity slider: Impossible travel
    We've updated the sensitivity slider for impossible travel to configure different sensitivity levels for different user scopes, allowing enhanced control over the fidelity of alerts for user scopes. For example, you can define a higher sensitivity level for administrators than for other users in the org. For more information about this anomaly detection policy, see Impossible travel.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

Cloud App Security release 184, 185, and 186

Released October 25, 2020

  • New enhanced alert monitoring and management experience
    As part of our ongoing improvements to monitoring and managing alerts, the Cloud App Security Alerts page has been improved based on your feedback. In the enhanced experience, the Resolved and Dismissed statuses are replaced by the Closed status with a resolution type. Learn more

  • New global severity setting for signals sent to Microsoft Defender for Endpoints
    We've added the ability to set the global severity setting for signals sent to Microsoft Defender for Endpoint. For more information, see How to integrate Microsoft Defender for Endpoint with Cloud App Security.

  • New security recommendations report
    Cloud App Security provides you with security configuration assessments for your Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) giving you insights into security configuration gaps in your multi-cloud environment. Now you can export detailed security recommendation reports to help you monitor, understand, and customize your cloud environments to better protect your organization. For more information about exporting the report, see Security recommendations report.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

  • Updates to the Cloud App Catalog
    We've made the following updates to our Cloud App Catalog:

    • Teams Admin Center has been updated as a standalone app
    • Microsoft Office 365 Admin Center has been renamed to Office Portal
  • Terminology update
    We've updated the term machine to device as part of the general Microsoft effort to align terminology across products.

Cloud App Security release 182 and 183

Released September 6, 2020

  • Access and session controls for Azure portal GA
    Conditional Access App Control for the Azure portal is now generally available. For information about configuring these controls, see the Deployment guide.

Cloud App Security release 181

Released August 9, 2020

  • New Cloud Discovery Menlo Security log parser
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the Menlo Security CEF format. For a list of supported log parsers, see Supported firewalls and proxies.

  • Azure Active Directory (AD) Cloud App Discovery name displays in portal
    For Azure AD P1 and P2 licenses, we've updated the product name in the portal to Cloud App Discovery. Learn more about Cloud App Discovery.

Cloud App Security release 179 and 180

Released July 26, 2020

  • New anomaly detection: Suspicious OAuth app file download activities
    We've extended our anomaly detections to include suspicious download activities by an OAuth app. The new detection is now available out-of-the-box and automatically enabled to alert you when an OAuth app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.

  • Performance improvements using proxy caching for Session Controls (gradual rollout)
    We've made additional performance improvements to our session controls, by improving our content caching mechanisms. The improved service is even more streamlined and provides increased responsiveness when using session controls. Note that session controls don't cache private content, aligning with the appropriate standards to only cache shared (public) content. For more information, see How session control works.

  • New feature: Save security configuration queries
    We've added the ability to save queries for our security configuration dashboard filters for Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This can help make future investigations even simpler by reusing common queries. Learn more about Security configuration recommendations.

  • Enhanced anomaly detection alerts
    We've extended the information we provide for anomaly detection alerts to include a mapping to the corresponding MITRE ATT&CK tactic. This mapping will help you understand the phase and impact of the attack and assist with your investigations. Learn more about How to investigate anomaly detection alerts.

  • Enhanced detection logic: Ransomware activity
    We've updated the detection logic for Ransomware activity to provide improved accuracy and reduced alert volume. For more information about this anomaly detection policy, see Ransomware activity.

  • Identity Security Posture reports: Tags visibility
    We've added entity tags to Identity Security Posture reports providing additional insights about entities. For example, the Sensitive tag can help you identify risky users and prioritize your investigations. Learn more about Investigating risky users.

Cloud App Security release 178

Released June 28, 2020

  • New security configurations for Google Cloud Platform (gradual rollout)
    We've expanded our multi-cloud security configurations to provide security recommendations for Google Cloud Platform, based on the GCP CIS benchmark. With this new capability, Cloud App Security provides organizations with a single view for monitoring the compliance status across all cloud platforms, including Azure subscriptions, AWS accounts, and now GCP projects.

  • New app connectors GA
    We've added the following app connectors to our portfolio of generally available API connectors, giving you more visibility into and control over how your apps are used in your organization:

  • New real-time malware detection GA
    We've expanded our session controls to detect potential malware using Microsoft Threat Intelligence upon file uploads or downloads. The new detection is now generally available out-of-the-box and can be configured to automatically block files identified as potential malware. For more information, see Block malware on upload.

  • Enhanced access and session controls with any IdP GA
    Access and session controls support for SAML apps configured with any identity provider is now generally available. For information about configuring these controls, see the Deployment guide.

  • Risky machine investigation enhancement
    Cloud App Security provides the ability to identify risky machines as part of your shadow IT discovery investigation. Now, we've added the Microsoft Defender Advanced Threat Protection Machine risk level to the machines page giving analysts more context when investigating machines in your organization. For more information, see Investigate devices in Cloud App Security.

  • New feature: Self-service disable app connector (gradual rollout)
    We've added the ability to disable app connectors directly in Cloud App Security. For more information, see Disable app connectors.

Cloud App Security release 177

Released June 14, 2020

  • New real-time malware detection (preview, gradual rollout)
    We've expanded our session controls to detect potential malware using Microsoft Threat Intelligence upon file uploads or downloads. The new detection is now available out-of-the-box and can be configured to automatically block files identified as potential malware. For more information, see Block malware on upload.

  • New access token support for access and session controls
    We've added the ability to treat access token and code requests as logins when onboarding apps to access and session controls. To use tokens, select the settings cog icon, select Conditional Access App Control, edit the relevant app (three dots menu > Edit app), select Treat access token and code requests as app logins, and then select Save. For more information about onboarding apps, see Onboard and deploy any app and Deploy featured apps.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

  • New documentation
    Cloud App Security documentation has been expanded to include the following new content:

Cloud App Security release 176

Released May 31, 2020

  • New activity privacy feature
    We've enhanced your ability to granularly determine which users you want to monitor with the ability to make activities private. This new feature enables you to specify users based on group membership whose activities will be hidden by default. Only authorized admins have the option to choose to view these private activities, with each instance being audited in the governance log. For more information, see Activity privacy.

  • New integration with Azure Active Directory (Azure AD) Gallery
    We've leveraged our native integration with Azure AD to give you the ability to navigate directly from an app in the Cloud App Catalog to its corresponding Azure AD Gallery app, and manage it in the gallery. For more information, see Manage apps with Azure AD Gallery.

  • New feedback option available in selected policies
    We're interested in receiving your feedback and learning how we can help. So now a new feedback dialog gives you the opportunity to help improve Cloud App Security, when creating, modifying, or deleting a file, anomaly detection, or session policy.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    Starting June 7, 2020, we are gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely blocklist domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

  • Performance improvements for Session Controls (gradual rollout)
    We've made significant network performance improvements to our proxy service. The improved service is even more streamlined and provides increased responsiveness when using session controls.

  • New risky activity detection: Unusual failed logon
    We've expanded our current capability to detect risky behavior. The new detection is now available out-of-the-box and automatically enabled to alert you when an unusual failed login attempt is identified. Unusual failed login attempts may be an indication of a potential password-spray brute force attack (also known as the low and slow method). This detection impacts the overall investigation priority score of the user.

  • Enhanced table experience
    We've added the ability to resize table column widths so that you can widen or narrow columns to customize and improve the way you view tables. You also have the option to restore the original layout by selecting the table settings menu and choosing Default width.

Cloud App Security release 175

Released May 17, 2020

  • New Shadow IT Discovery integration with Corrata (preview)
    We've added native integration with Corrata providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Corrata.

  • New Cloud Discovery log parsers
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support Corrata and Cisco ASA with FirePOWER 6.4 log formats. For a list of supported log parsers, see Supported firewalls and proxies.

  • Enhanced dashboard (gradual rollout) As part of our ongoing improvements to the portal design, we are now gradually rolling out the improved Cloud App Security dashboard. The dashboard has been modernized based on your feedback and offers an enhanced user experience with updated content and data. For more information, see Gradual deployment of our enhanced dashboard.

  • Enhanced governance: Confirm User Compromised for anomaly detections
    We've expanded our current governance actions for anomaly policies to include Confirm User Compromised allowing you to proactively protect your environment from suspicious user activity. For more information, see Activity governance actions.

Cloud App Security release 173 and 174

Released April 26, 2020

  • New SIEM agent CEF format for alerts
    As part of our effort to enrich the alert information provided in the CEF files used by generic SIEM servers, we've extended the format to include the following client fields:
    • IPv4 address

    • IPv6 address

    • IP address location

      For more information, see CEF file format.

  • Enhanced detection logic: Impossible travel
    We've updated the detection logic for impossible travel to provide improved accuracy and reduced alert volume. For more information about this anomaly detection policy, see Impossible travel.

Cloud App Security release 172

Released April 5, 2020

  • Enhanced access and session controls with any IdP (preview)
    Access and session controls now support SAML apps configured with any identity provider. The public preview of this new feature is now gradually rolling out. To configure these controls, see the Deployment guide.

  • New bulk deanonymization of users and machines
    We've expanded and simplified the process of deanonymizing one or more users and machines under investigation. For more information about bulk deanonymization, see How data anonymization works.

Cloud App Security release 170 and 171

Released March 22, 2020

  • New anomaly detection: Unusual region for cloud resource (preview)
    We've expanded our current capability to detect anomalous behavior for AWS. The new detection is now available out-of-the-box and automatically enabled to alert you when a resource is created in an AWS region where the activity is not normally performed. Attackers often leverage an organization's AWS credits to perform malicious activities such as crypto-mining. Detecting such anomalous behavior can help mitigate an attack.

  • New activity policy templates for Microsoft Teams
    Cloud App Security now provides the following new activity policy templates enabling you to detect potentially suspicious activities in Microsoft Teams:

    • Access level change (Teams): Alerts when a team's access level is changed from private to public.
    • External user added (Teams): Alerts when an external user is added to a team.
    • Mass deletion (Teams): Alerts when a user deletes a large number of teams.
  • Azure Active Directory (Azure AD) Identity Protection Integration
    You can now control the severity of Azure AD Identity Protection alerts that are ingested into Cloud App Security. Additionally, if you haven't already enabled the Azure AD Risky sign-in detection, the detection will be automatically enabled to ingest high severity alerts. For more information, see Azure Active Directory Identity Protection integration.

Cloud App Security release 169

Released March 1, 2020

  • New detection for Workday
    We've expanded our current anomalous behavior alerts for Workday. The new alerts include the following user geolocation detections:

  • Enhanced Salesforce log collection
    Cloud App Security now supports Salesforce's hourly event log. Hourly event logs give you accelerated, near real-time monitoring of user activities. For more information, see Connect Salesforce.

  • Support for AWS security configuration using a master account
    Cloud App Security now supports using a master account. Connecting your master account allows you to receive security recommendations for all member accounts across all regions. For more information about connecting with a master account, see How to connect AWS Security configuration to Cloud App Security.

  • Session controls support for modern browsers
    Cloud App Security session controls now includes support for the new Microsoft Edge browser based on Chromium. While we'll continue supporting the most recent versions of Internet Explorer and the legacy version of Microsoft Edge, the support will be limited and we recommend using the new Microsoft Edge browser.

Cloud App Security release 165, 166, 167, and 168

Released February 16, 2020

  • New block unsanctioned apps with Microsoft Defender ATP
    Cloud App Security has extended its native integration with Microsoft Defender Advanced Threat Protection (ATP). You can now block access to apps marked as unsanctioned using Microsoft Defender ATP's network protection capability. For more information, see Block access to unsanctioned cloud apps.

  • New OAuth app anomaly detection
    We've expanded our current capability to detect malicious OAuth app consent. The new detection is now available out-of-the-box and automatically enabled to alert you when a potentially malicious OAuth app is authorized in your environment. This detection leverages Microsoft security research and threat intelligence expertise to identify malicious apps.

  • Log collector updates
    The Docker-based log collector was enhanced with the following important updates:

    • Container OS version upgrade

    • Java security vulnerabilities patches

    • Syslog service upgrade

    • Stability and performance improvements

      We strongly recommend that you upgrade your environment to this new version. For more information, see Log collector deployment modes.

  • Support for ServiceNow New York
    Cloud App Security now supports the latest version (New York) of ServiceNow. To learn about securing ServiceNow, see Connect ServiceNow to Microsoft Cloud App Security.

  • Enhanced detection logic: Impossible travel
    We've updated the detection logic for impossible travel to provide enhanced coverage and better accuracy. As part of this update, we also updated the detection logic for impossible travel from corporate networks.

  • New threshold for activity policies
    We've added a threshold for activity policies to help you manage the volume of alerts. Policies that trigger a large volume of matches for several days are automatically disabled. If you receive a system alert about this, you should try refining policies by adding additional filters or, if you're using policies for reporting purposes, consider saving them as queries instead.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.